Cookie SameSite defaulting to Lax instead of None in more and more browser - Cookie h_api_authcookie.v2 rejected in iFrame

[f2boot]

Hi

I am happy using pdf.js + hypothes.is in an iframe on the website of a learned society that produced many documents in pdf format.

I have noticed in the browser console that Cookie h_api_authcookie.v2 is rejected, most probably because SameSite now defaults to Lax instead of None.
That does not seem to block the use of hypothes.is in an iframe but implementing "Secure;SameSite=None" may help and recommendations would be very nice

Many thanks

[robertknight]

I have noticed in the browser console that Cookie h_api_authcookie.v2 is rejected, most probably because SameSite now defaults to Lax instead of None.

That cookie is only used when you visit https://hypothes.is directly in a top-level frame. The Hypothesis client happens to be served from https://hypothes.is which would explain why the browser might try to send it unnecessarily, if it doesn't block third-party cookies (which we assume browsers may do).

[robertknight]

This issue was originally filed in https://github.com/hypothesis/pdf.js-hypothes.is/issues. I moved it here because h is the application that sets the cookie.